Home Explore Help
Sign In
SMusatov
/
zammad
mirror of https://github.com/zammad/zammad.git
1
0
Fork 0
Files
Browse Source

Maintenance: Elaborate the security process description

Martin Gruner 5 months ago
parent
fce41f2305
commit
0f99c1c16d
1 changed files with 34 additions and 7 deletions
Split View Show Diff Stats
  1. 34 7
      SECURITY.md

+ 34 - 7
SECURITY.md
View File 

@@ -36,7 +36,15 @@ you about the next steps. Accepted vulnerabilities will
 
 be disclosed via patch level release with accompanying
 
 security advisory.
 
 
-## Rewards
 
+### Reporting Process Overview
 
+
 
+- Potential security issues can be reported via security@zammad.com.
 
+- We evaluate them and provide timely feedback to the reporter.
 
+- There may be security releases created if needed, e.g. https://zammad.com/en/releases/6-3-1.
 
+- We publish security advisories for every acknowledged issue, like https://zammad.com/en/advisories/zaa-2024-04.
 
+- After their publication, we request CVE identifiers to be assigned to the advisories.
 
+
 
+### Rewards
 
 
 Every first reporter of a vulnerability may be credited
 
 in the related security advisory.
 
@@ -44,10 +52,29 @@ in the related security advisory.
 
 Zammad does not offer financial compensation through a
 
 security bounty program.
 
 
-## Process Overview
 
+## Security Measures in Development Workflow
 
 
-- Potential security issues can be reported via security@zammad.com.
 
-- We evaluate them and provide timely feedback to the reporter.
 
-- There may be security releases created if needed, e.g. https://zammad.com/en/releases/6-3-1.
 
-- We publish security advisories for every acknowledged issue, like https://zammad.com/en/advisories/zaa-2024-04.
 
-- After their publication, we request CVE identifiers to be assigned to the advisories.
 
+Most of our relevant GitLab related configuration related to
 
+Ruby security analysis can be seen in [.gitlab/ci/lint.yml](.gitlab/ci/lint.yml#L49).
 
+With this, you can also locally reproduce the results.
 
+
 
+### Dependency Management
 
+
 
+We use renovate bot to keep our Ruby and JS dependencies up-to-date by automatic merge requests in our internal GitLab. This config is not visible in our source code, but you can see frequent commits from it in our history, like [this one](https://github.com/zammad/zammad/commit/a61b205e4ba41fca1ec7c85323ec6045fc3672e5).
 
+
 
+### Dependency Security Analysis
 
+
 
+As you can see in the GitLab job linked above, we use
 
+[bundle-audit](https://github.com/rubysec/bundler-audit) to scan for
 
+known security issues in Ruby gems.
 
+
 
+### Static Ruby Code Analysis
 
+
 
+We use [brakeman](https://brakemanscanner.org/) to scan for
 
+insecure Ruby code constructs, along with an [ignore file](config/brakeman.ignore)
 
+that lists known exceptions.
 
+
 
+### Static JS Code Analysis
 
+
 
+We use the [SonarJS](https://github.com/SonarSource/SonarJS) plugin for
 
+ESLint for this.